OPINION OF ADVOCATE GENERAL
EMILIOU
delivered on 4 May 2023(1)
Case C‑683/21
Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos
v
Valstybinė duomenų apsaugos inspekcija,
joined parties:
‘IT sprendimai sėkmei’ UAB,
Lietuvos Respublikos sveikatos apsaugos ministerija
(Request for a preliminary ruling from the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius, Lithuania))
(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Article 4(7) – Concept of ‘controller’ – Development of a mobile application in the context of the COVID-19 pandemic – Responsibility of the public authority in charge of organising the tendering procedure for the acquisition of the mobile application – Article 4(2) – Concept of ‘processing’ – Use of personal data during the test phase of a mobile application – Article 26(1) – Joint control – Article 83 – Imposition of administrative fines – Conditions – Need for the infringement to be deliberate or negligent – Responsibility of the controller for the processing of personal data undertaken by a processor)
I. Introduction
1. In a world where personal data have become a bargaining chip and constitute a newly found goldmine for businesses, under what conditions can administrative fines be imposed to controllers or processors for breach of the data protection rules set out in Regulation (EU) 2016/679? (2) More specifically, is a ‘fault’ element required to be fulfilled before they can be subject to such fines? That is the core issue raised by the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius, Lithuania) in the present case.
2. The dispute before that court, which arises between the Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos (National Public Health Centre under the Ministry of Health, Lithuania; ‘the NVSC’) and the Valstybinė duomenų apsaugos inspekcija (State Data Protection Inspectorate, Lithuania; ‘the Inspectorate’), concerns, in essence, the role played by the NVSC in the development and making publicly available of a mobile application which collected, in April and May 2020, the personal data of people who had been in contact with COVID-19-infected patients.
3. Within that context, the present case gives the Court an opportunity to provide additional clarity on the concepts of ‘controller’, ‘joint controllers’ and ‘processing’, defined respectively in Article 4(7), Article 26(1) and Article 4(2) of the GDPR, and to consider, for the first time, whether it is possible, in application of Article 83 of that regulation, to impose an administrative fine on a controller that has not intentionally or negligently committed any breach of the rules contained in the GDPR. That question requires the Court to clarify whether that provision allows fines to be imposed in the absence of any fault, on the basis of strict liability.
II. Legal framework
A. European Union law
4. Recital 148 of the GDPR states:
‘In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation … In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.’
5. Pursuant to recital 150 of that regulation:
‘In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. … Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.’
6. Article 4(7) of the GDPR defines the concept of ‘controller’ as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data …’.
7. Article 26 of that regulation, entitled ‘Joint controllers’, states in the relevant part:
‘1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. …
…’
8. Article 83 of that regulation, entitled ‘General conditions for imposing administrative fines’, provides:
‘1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature[,] scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
…
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
…’
B. Lithuanian law
9. Article 72(2) of the Viešųjų pirkimų įstatymas (Law on Public Procurement) states:
‘The contracting authority shall carry out a negotiated procedure without publication of a contract notice in the following stages:
(1) written invitation to the selected economic operators to submit tenders;
(2) verification as to whether there are any grounds for the exclusion of economic operators as laid down in the procurement documents, and verification as to whether the economic operators fulfil the qualification requirements imposed and, where applicable, meet the required quality assurance standards and/or environmental management standards;
(3) conduct of negotiations with the tenderers in accordance with the procedure established in Article 66 of this law and the request for them to submit final tenders. The contracting authority shall not be required to request the submission of a final tender in the case of one economic operator participating in the negotiated procedure without publication of a prior notice;
(4) evaluation of the final tenders and determination of the successful candidate.’
III. Facts, national proceedings and the questions referred
10. In order to respond to the situation resulting from the spread of COVID-19, the Minister for Health of the Republic of Lithuania (‘the Minister for Health’) instructed, by decision of 24 March 2020, the Director of the NVSC to organise the development and acquisition of a mobile application, namely KARANTINAS. That mobile application was designed to collect and monitor the personal data of individuals who had been in contact with COVID-19-infected patients. (3)
11. On 27 March 2020, a person claiming to be an agent representing the NVSC informed the company ‘IT sprendimai sėkmei’ UAB (‘ITSS’) that it had been selected to be the developer of KARANTINAS. Emails were exchanged between ITSS and that person as well as between ITSS and a number of employees and the Director of the NVSC in relation to the development of that mobile application. A confidentiality agreement was also drawn up at that stage, mentioning both ITSS and the NVSC as controllers.
12. The mobile application that was eventually developed was made available for download by the public from Google Play Store on 4 April 2020, and from Apple App Store on 6 April 2020. Both ITSS and the NVSC were again mentioned as controllers in the version of KARANTINAS that was made available for download by the public. At that time, that mobile application had not yet been purchased by the NVSC.
13. By decision of 10 April 2020, the Minister for Health instructed the Director of the NVSC to proceed with the acquisition of KARANTINAS by negotiated procedure without publication of a contract notice, in application of Article 72(2) of the Law on Public Procurement.
14. That procedure was initiated but, having failed to receive the necessary funding, the NVSC terminated it. No public contract for purchase was thus concluded. KARANTINAS, however, continued to be available for download by the public.
15. On 15 May 2020, the NVSC requested ITSS not to use any details of the NVSC or to draw links with the NVSC in the mobile application. On 18 May 2020, the Inspectorate began an investigation concerning both ITSS and the NVSC for breach of the rules laid down in the GDPR. The operations of KARANTINAS were suspended at the request of the Inspectorate on 26 May 2020. According to ITSS, 3 802 users had provided their personal data via the application between 4 April and 26 May 2020.
16. By decision of 24 February 2021, the Inspectorate imposed administrative fines on the NVSC and on ITSS, in their capacity as joint controllers, for infringement of Articles 5, 13, 24, 32 and 35 of the GDPR. (4)
17. That decision was challenged by the NVSC before the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius). That court wonders, in essence, whether the concept of ‘controller’, within the meaning of Article 4(7) of the GDPR, must be interpreted broadly so as to include any natural or legal person or body such as the NVSC which is not the developer of a mobile application but which, with a view to acquiring such a mobile application by way of a tendering procedure, determined ‘the purposes and means of the processing of personal data’, or whether that concept ought to be interpreted more strictly, taking into account the public procurement procedure and its outcome.
18. In particular, it wonders whether the fact that the tendering procedure was ultimately abandoned, and KARANTINAS never acquired by the NVSC, is relevant in that regard. It also wonders whether the fact that the NVSC did not officially consent to or authorise the making available of that mobile application to the public has any impact on that assessment.
19. Furthermore, it enquires as to the relationship between the NVSC and ITSS. In that regard, it wonders under which circumstances that entity and that company would have to be regarded as ‘joint controllers’, within the meaning of Article 4(7) and Article 26(1) of the GDPR. Alternatively, if the NVSC and ITSS were not to be regarded as ‘joint controllers’, but as ‘controller’ and ‘processor’ (5) (respectively) within the meaning of the GDPR, it wishes to know when the actions of ITSS could lead to liability for the NVSC. In that regard, it wonders whether Article 83 of the GDPR must be interpreted as meaning that an administrative fine can be imposed on a controller such as the NVSC that has not itself committed any infringement of that regulation intentionally or negligently.
20. In the light of those considerations, the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Can the concept of “controller” set out in Article 4(7) of the GDPR be interpreted as meaning that a person who is planning to acquire a data collection tool (mobile application) by way of public procurement, irrespective of the fact that a public procurement contract has not been concluded and that the created product (mobile application), for the acquisition of which a public procurement procedure had been used, has not been transferred, is also to be regarded as a controller?
(2) Can the concept of “controller” set out in Article 4(7) of the GDPR be interpreted as meaning that a contracting authority which has not acquired the right of ownership of the created IT product and has not taken possession of it, but where the final version of the created application provides links or interfaces to that public entity and/or [where] the confidentiality policy, which was not officially approved or recognised by the public entity in question, specified that public entity itself as a controller, is also to be regarded as a controller?
(3) Can the concept of “controller” set out in Article 4(7) of the GDPR be interpreted as meaning that a person who has not performed any actual data processing operations as defined in Article 4(2) of the GDPR and/or has not provided clear permission/consent to the performance of such operations is also to be regarded as a controller? Is the fact that the IT product used for the processing of personal data was created in accordance with the assignment formulated by the contracting authority significant for the interpretation of the concept of “controller”?
(4) If the determination of actual data processing operations is relevant for the interpretation of the concept of “controller”, is the definition of “processing” of personal data under Article 4(2) of the GDPR to be interpreted as also covering situations in which copies of personal data have been used for the testing of IT systems in the process for the acquisition of a mobile application?
(5) Can joint control of data in accordance with Article 4(7) and Article 26(1) of the GDPR be interpreted exclusively as involving deliberately coordinated actions in respect of the determination of the purpose and means of data processing, or can that concept also be interpreted as meaning that joint control also covers situations in which there is no clear “arrangement” in respect of the purpose and means of data processing and/or actions are not coordinated between the entities? Are the circumstance relating to the stage in the creation of the means of personal data processing (IT application) at which personal data were processed and the purpose of the creation of the application legally significant for the interpretation of the concept of joint control of data? Can an “arrangement” between joint controllers be understood exclusively as a clear and defined establishment of terms governing the joint control of data?
(6) Is the provision in Article 83(1) of the GDPR to the effect that “administrative fines … shall … be effective, proportionate and dissuasive” to be interpreted as also covering cases of imposition of liability on the “controller” when, in the process of the creation of an IT product, the developer also performs personal data processing actions, and do the improper personal data processing actions carried out by the processor always give rise automatically to legal liability on the part of the controller? Is that provision to be interpreted as also covering cases of no-fault liability on the part of the controller?’
21. The request for a preliminary ruling, dated 22 October 2021, was registered at the Court on 12 November 2021. The NVSC, the Inspectorate, the Lithuanian Government and the European Commission submitted written observations.
22. The Lithuanian and Netherlands Governments, together with the Commission and the Council, were represented at the hearing which took place on 17 January 2023.
IV. Analysis
23. During the COVID-19 pandemic, mobile applications designed to ‘track and trace’ people infected by the virus and/or those who had been in contact with someone infected by the virus were made available for download by the public in many Member States. Such mobile applications were developed in an effort to respond to the emergency of the situation, often with the participation of several public and private entities (such as ministries and other public entities, as well as private companies). Users were required to upload their personal data in the mobile applications, in particular data concerning their health. (6)
24. The main proceedings concern, precisely, such a mobile application, namely KARANTINAS, which was developed by ITSS (a private company) at the initiative of the NVSC (a public authority) following a decision of the Minister for Health. It is not clear from the information in the case file, nor that provided at the hearing, which other public entities of Lithuania, if any, were involved in the development of the application. (7) Some doubts also exist as to whether the NVSC consented to KARANTINAS being made available to the public during the period when the processing of personal data took place (April and May 2020). However, in the questions referred to the Court, the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius) identified the following circumstances as being relevant.
– The NVSC had planned to acquire KARANTINAS pursuant to Article 72(2) of the Law on Public Procurement, but the procedure was never completed and the acquisition never occurred. Ownership of KARANTINAS was thus never transferred from ITSS to the NVSC.
– The NVSC was mentioned as a controller in the confidentiality policy of KARANTINAS, which was made available to the public. Links to the NVSC were also included in the last version of the application, which was, however, never officially approved by that entity.
– The NVSC never processed personal data itself nor did it formally consent to the processing operations undertaken, but it provided instructions regarding the development of KARANTINAS and those instructions were followed by ITSS.
– ITSS and the NVSC did not come to any formal arrangement as to the purposes and means of the processing of personal data that took place.
25. Against that background, the questions referred to the Court concern the interpretation of various provisions of the GDPR. The first three questions, as well as the fifth question, call for an interpretation of the concept of ‘controller’, within the meaning of Article 4(7) of that regulation, and require a clarification on the circumstances in which two or more entities can be regarded as ‘joint controllers’, pursuant to that provision and Article 26(1) of that regulation. I will first analyse those questions together (A) before turning to the fourth question, which concerns the concept of ‘processing’, within the meaning of Article 4(2) of the GDPR, and its application in the context of the test phase of a mobile application (B). (8) I will then delve into the issue which is at the heart of the present case, namely the sixth question, which is of a transversal nature since it concerns the conditions under which administrative fines may be imposed on controllers, in application of Article 83 of the GDPR (C).
A. On the concept of ‘controller’ and situations of joint control (Questions 1 to 3 and 5)
26. By the first three questions, the referring court wonders, in essence, whether, in the light of the circumstances detailed in point 24 above, an entity such as the NVSC must be regarded as a ‘controller’, within the meaning of Article 4(7) of the GDPR. Furthermore, by the fifth question, the referring court seeks clarification as to whether, in such circumstances, two entities such as the NVSC and ITSS must be regarded as ‘joint controllers’, in accordance with that provision and Article 26(1) of that regulation, even though they have not come to any formal arrangement as to the purposes and means of the processing and/or do not appear to have otherwise coordinated their actions.
1. What is a controller? (Questions 1 to 3)
27. I recall that, pursuant to Article 4(7) of the GDPR, a ‘controller’ is defined as the person or entity which, ‘alone or jointly with others, determines the purposes and means of the processing of personal data’. Put simply, a controller does not need to process any of the personal data itself, but it must determine the ‘why and how’ of the relevant processing operations. (9) The Court has suggested that, in order to fulfil that criterion, a person or entity must actually ‘[exert] influence over the processing of personal data’. (10) However, it is not necessary that the determination of the purposes and means of the processing be carried out in accordance with written guidelines or instructions from the controller. (11) Indeed, Article 4(7) of the GDPR calls for a factual analysis rather than a formal one.
28. In connection therewith, the European Data Protection Board (EDPB) has suggested that it is also possible to be a controller irrespective of a specific competence or power to control data being conferred by law. Indeed, the capacity to determine the purposes and means of the processing depends, above all, on the influence exercised, which can be inferred from factual circumstances. An entity which is in fact in a position to determine the purposes and means of the processing will thus be regarded as a ‘controller’, irrespective of whether it was formally appointed as such (by law or in a contract or otherwise). (12)
29. Having made those clarifications, I note that several of the circumstances described by the referring court in the first three questions are of a purely formal nature; for example, the fact that the NVCS does not legally own KARANTINAS or that the procedure for the acquisition of that mobile application was never completed, or that the NVSC did not officially authorise the release of the application to the public at large or approve the last version of the application. In my view, none of those circumstances can, in and of themselves, preclude a finding that the NVSC acted as a ‘controller’, within the meaning of Article 4(7) of the GDPR, in the context of the main proceedings. Indeed, they are not sufficient to refute a conclusion that the NVSC was in fact in a position to determine the purposes and means of the processing of personal data that took place. By the same token, it seems to me that the fact that the NVSC was mentioned as a controller in the confidentiality policy of the version of KARANTINAS which was made available for download by the public, or that links to that entity were included in that version of the mobile application, is relevant but not conclusive when it comes to the influence actually exercised by that entity.
30. By contrast, the evidence before the referring court which shows that the NVSC decided which type of personal data should be collected by KARANTINAS and from which data subjects and/or other key aspects of the processing is, in my view, sufficient to establish that that entity determined the ‘means’ of the processing. I further consider that the fact that KARANTINAS was created to fulfil the objective defined by the NVSC, namely to provide a response to the COVID-19 pandemic, and that its functioning was regularly modified by ITSS to respond to the needs determined by the NVSC, in line with the instructions provided by that entity, is enough to conclude that that entity has determined the ‘purposes’ of that processing.
31. Having said that, it seems to me that, in order to determine whether an entity such as the NVSC can be regarded as a ‘controller’ within the meaning of Article 4(7) of the GDPR, the referring court must also establish whether, notwithstanding the influence exercised by the NVSC at the stage of the development of KARANTINAS, the decision to make that mobile application available to the public and, therefore, to engage in the processing of personal data was actually adopted with the (express or implied) consent of that entity (regardless of the fact that that consent was not officially or formally provided).
32. Indeed, as the definition of the concept of ‘controller’ in Article 4(7) of the GDPR makes clear, the influence exercised by a controller must relate to the processing of personal data itself, not just any prior step. A physical or moral person or entity does not become a ‘controller’ by the mere fact that it initiates the development of a mobile application or defines the parameters of that application (or of another data-collecting tool). Its actions must actually be connected to the processing of personal data and it must, therefore, have consented expressly or impliedly to the relevant tool being used to undertake such processing.
33. The Court insisted on that requirement in its judgment in Fashion ID, (13) in which it expressly stated that the liability of a controller is limited to the operation or set of operations involving the processing of personal data in respect of which it actually determined the purposes and means. (14) It follows that the determination of the purposes and means must directly relate to the relevant operation or set of operations involving the processing of personal data.
34. In my view, it follows from those findings that an entity, such as the NVSC, which initiates the development of a mobile application can be regarded as a ‘controller’, within the meaning of Article 4(7) of the GDPR, only in a situation where there are enough elements of a factual, rather than formal, nature from which the national courts can conclude that such an entity exercised actual influence with regards to the ‘purposes and means’ of that processing and that it actually consented to the release of the mobile application to the public and, consequently, to the processing of the personal data. Subject to the verifications to be carried out by the referring court, I believe that the NVSC fulfils those requirements.
2. When can two entities be regarded as joint controllers? (Question 5)
35. The fifth question concerns the conditions that must be satisfied in order for two (or more) entities to be regarded as joint controllers. I understand that the referring court seeks clarity on the interpretation of that concept because it suspects that, in the situation at hand in the main proceedings, the NVSC and ITSS could be regarded as ‘joint controllers’ and, as such, could be jointly and severally liable for the damage caused (15) and/or jointly fined for the breaches of the data protection rules committed when KARANTINAS was made available for download by the public. I note, in that regard, that, as I indicated in point 16 above, that entity and that company were, in fact, both found responsible and fined in application of Article 83 of the GDPR for the infringements committed, in their capacity as joint controllers, by the Inspectorate.
36. Pursuant to Article 26(1) of the GDPR, ‘joint controllers’ exist where two or more controllers jointly determine the purposes and means of processing. Each joint controller must, therefore, independently fulfil the criteria listed in the definition of ‘controller’ provided in Article 4(7) of that regulation. (16) Furthermore, the joint controllers must have a certain relationship with one another, given that their influence over the processing must be exercised jointly.
37. The Court has indicated that the existence of joint control does not necessarily imply equal responsibility or participation of the various persons or entities involved. On the contrary, joint controllers may be involved at different stages of the processing, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances in each case. (17) Moreover, joint responsibility of several entities for the same processing does not require each of them to have access to the personal data concerned. (18) What matters, however, is that they jointly participate in the determination of the ‘purposes and means’ of the processing.
38. In that regard, I note that, as the Guidelines 07/2020 state, such joint participation can exist in different forms. It can result from a common decision taken by two or more entities or it can merely result from converging decisions of those entities. Where the latter is the case, it only matters that the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing – meaning, in essence, that the processing would not be possible without the participation of both parties. (19)
39. Against that background, the referring court wonders whether the fact that two controllers (in casu, the NVSC and ITSS) have not come to any formal arrangement as to the purposes and means of the processing and/or do not appear to have otherwise coordinated their actions precludes them from being regarded as ‘joint controllers’.
40. I understand that the referring court’s doubts in that regard arise from the fact that, pursuant to Article 26(1) of the GDPR, joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with the obligations of that regulation, by means of an arrangement between them. Furthermore, recital 79 of that regulation indicates that ‘clear allocation of the responsibilities’ is required, including where a controller determines the purposes and means of processing jointly with others. However, in my view, those obligations and requirements apply to joint controllers only once they can be regarded as such. They do not form part of the criteria that must be fulfilled in order for them to be qualified as such.
41. As I have stated in point 36 above, joint control depends on only two objective conditions being fulfilled. First, each joint controller must fulfil the criteria listed in the definition of ‘controller’ provided in Article 4(7) of the GDPR. There is not enough information in the case file from which it can be determined whether, in the situation in the main proceedings, ITSS must be regarded as a ‘controller’ within the meaning of that provision. However, it appears to me, in the light of the findings that I have made in the previous section and subject to the verification to be undertaken by the referring court, that at least the NVSC – if not both that entity and ITSS – fulfils the conditions to be considered a ‘controller’, within the meaning of that provision. Second, the controllers’ influence over the processing must be exercised jointly (meaning that it must be exercised in conformity with the legal criteria and case-law which I have recalled in points 37 and 38 above). In that regard, I have explained that joint participation in the processing can exist in different forms and does not even have to proceed from a common decision of the parties involved. As such, the substantive and functional approach required in order to establish whether a person or entity must be regarded as a ‘controller’, within the meaning of Article 4(7) of the GDPR, also applies, in my view, to joint control. (20)
42. Given those elements, I am of the view, first, that the absence of any agreement or arrangement or even common decision between two or more controllers such as the NVSC and ITSS cannot, in and of itself, exclude a finding that they are ‘joint controllers’ within the meaning of Article 4(7) of the GDPR, read in conjunction with Article 26(1) thereof. In that regard, I add that the EDPB has suggested that, although contractual arrangements can be useful in assessing joint control, they should always be checked against the factual circumstances of the relationship between the parties. (21)
43. Second, it also seems to me that simply because the NVSC and ITSS do not appear , beyond the fact that they have not reached an agreement, arrangement or common decision, to have coordinated their actions or otherwise cooperated with one another does not mean that they cannot be regarded as ‘joint controllers’. Even if such coordination or cooperation exists, it is immaterial to the question of whether the relationship between those two entities is one of joint control or not. Indeed, one may easily imagine that cooperation or coordination could exist between two or more entities, without them being joint controllers at all. For example, two separate controllers could be coordinating their actions or cooperating with one another with the intention of transferring personal data between themselves. That would not, however, turn them into ‘joint controllers’ within the meaning of Article 4(7) and Article 26(1) of the GDPR. (22)What matters, as I have explained in point 38 above, is that the processing would not be possible without the participation of both parties because both have a tangible impact on the determination of the purposes and means of that processing.
3. Conclusion on the interpretation of the concept of ‘controller’ and situations of joint control
44. In the light of the foregoing, it seems to me that, on the one hand, subject to the verifications to be carried out by the referring court, an entity such as the NVSC fulfils the conditions listed in Article 4(7) of the GDPR to be regarded as a ‘controller’. On the other hand, whether the NVSC and ITSS can be regarded as ‘joint controllers’, in line with the criteria which I have outlined in the previous section, or qualify as ‘controller’ and ‘processor’, respectively, depends on the nature of their relationship, which it is for the referring court to assess.
45. In that regard, I add that the nature of the relationship between the NVSC and ITSS (namely, whether they are ‘joint controllers’ or, respectively, ‘controller’ and ‘processor’) is relevant to the sixth question. I will therefore return to the findings that I have made with regard to the fifth question when turning to the issues raised by the sixth question.
B. On the concept of ‘processing’ (Question 4)
46. By the fourth question, the referring court wonders, in essence, whether the definition of ‘processing’ provided in Article 4(2) of the GDPR covers a situation where personal data are used during the test phase of a mobile application. (23) I gather from the request for a preliminary ruling that KARANTINAS was put through a test phase before it was made available for download by the public. From my understanding, the fourth question thus concerns a situation which is different from the one at the heart of the other questions referred to the Court, which all relate to the processing of personal data after the run of the test phase, when KARANTINAS was released to the public. Specifically, the referring court wishes to know whether the use of personal data during that test phase qualifies as ‘processing’ within the meaning of Article 4(2) of the GDPR and, as such, could result in potential liability for the controllers and/or processors involved.
47. Article 4(2) of the GDPR defines ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means …’. (24)
48. I understand from that wording (in particular from the use of the word ‘any’ and of generic terms such as ‘operation’ or ‘set of operations’) that that provision is to be given a broad meaning, so as to cover as many possible situations in which personal data are used. The non-exhaustive list of such situations, which is laid down in that provision, confirms that interpretation, given the variety of operations that are included therein. (25)
49. Furthermore, whereas it results from the above section that the definition of ‘controller’, within the meaning of Article 4(7) of that regulation, is closely connected to the purposes of the processing of personal data (the reasons ‘why’ personal data are collected), that is not the case for the definition set out in Article 4(2) thereof. As such, the reasons for which an operation or set of operations are carried out is, in principle, irrelevant to the question of whether they must be characterised as ‘processing’, within the meaning of that provision. It follows, in my view, that whether personal data are collected with a view to testing the IT systems embedded in a mobile application or for another purpose has no bearing on the question of whether the operation in question qualifies as ‘processing’.
50. In that regard, I further note that ‘use’ of personal data (without any further mention and, therefore, regardless of the purpose of the use) is listed amongst the operations or sets of operations that constitute ‘processing’. (26) Moreover, Article 4(2) of the GDPR does not contain any express exception, derogation or exclusion for operations relating to the use of personal data for the testing of IT systems. It follows that nothing prevents the use of personal data with a view to performing such testing to be considered as ‘processing’, within the meaning of that provision; quite the contrary.
51. In the light of those elements, I consider that the definition of ‘processing’ provided in Article 4(2) of the GDPR covers a situation where personal data are used during the test phase of a mobile application.
52. My conclusion in that regard is not affected by the mere fact that the personal data provided for the purposes of testing the IT systems embedded in a mobile application may have undergone pseudonymisation. (27) The only circumstance under which the GDPR would not apply is if the information supplied into the mobile application consists only of anonymous information which ‘does not relate to an identified or identifiable natural person or to personal data’ or of personal data that have been ‘rendered anonymous in such a manner that the data subject is not or no longer identifiable’. I note, however, that, in the case in the main proceedings, the data used for the testing phase do not appear, on the basis of the information provided in the case file, to have consisted of such anonymised data. (28)
53. In the light of the foregoing, I consider that the definition of ‘processing’ provided in Article 4(2) of the GDPR covers a situation where personal data are used during the test phase of a mobile application, unless such data have been rendered anonymous in such a manner that the data subject is not or no longer identifiable. Whether personal data are collected with a view to testing the IT systems embedded in a mobile application or for another purpose has, for its part, no bearing on the question of whether the operation in question qualifies as ‘processing’. (29)
54. Having made those clarifications, I shall now turn to the core issue in the present case, which concerns the conditions under which an administrative fine can be imposed on a controller or processor, in application of Article 83 of the GDPR.
C. On administrative fines imposed in application of Article 83 of the GDPR (Question 6)
55. Before the adoption of the GDPR, penalties for breach of the data protection rules were largely left to the discretion of the Member States, pursuant to their procedural and remedial autonomy. (30) Administrative fines, which were introduced by Article 83 of that regulation, are, consequently, a relatively new ‘development’ in EU data protection law. They have been described by the Article 29 Working Party as a ‘central element in the new enforcement regime’. (31) Although that provision has not yet been interpreted by the Court, it has already been applied by supervisory authorities, sometimes to impose heavy fines on controllers or processors. (32)
56. Article 83 of the GDPR provides a two-tier sanction system, depending on the specific type of provision infringed. Whereas the first tier, defined in Article 83(4) of that regulation, applies to situations where a controller or processor breaches the general obligations to which they are subject, as well as certain specific obligations, the second tier is reserved, as Article 83(5) of the GDPR indicates, for more serious infringements, such as infringements of, inter alia, the basic principles for processing, the data subjects’ rights, and the rules relating to the transfer of personal data to a recipient in a third country or an international organisation.
57. For both tiers, the competent national authorities must, after they have established that a particular provision of the GDPR has been infringed, perform two assessments. First, they must determine whether a fine should be imposed and, second, where they have so determined, they must set the amount of that fine. Those assessments must be carried out in each individual case, in the light of various factors listed in Article 83(2) of the GDPR. Among those factors is the ‘intentional or negligent character of the infringement’ (Article 83(2)(b) thereof).
58. By its sixth question, the referring court wonders, in essence, whether an administrative fine can be imposed on a controller when the controller did not act intentionally or negligently in breaching the data protection rules and the unlawful processing of personal data was done, not by the controller itself, but by a processor. Returning to the findings that I have made above with regard to the fifth question, it seems to me that the sixth question is asked in the event that, in the main proceedings, the NVSC and ITSS could not be regarded as ‘joint controllers’, within the meaning of Article 4(7) of the GDPR, read in conjunction with Article 26(1) of that regulation, and would have to be considered ‘controller’ and ‘processor’, respectively. Within that particular framework, the referring court would like to clarify the circumstances under which the NVSC may be fined, in application of Article 83 of the GDPR.
59. Having said that, I note that the sixth question mentions only Article 83(1) of the GDPR as the relevant provision. However, in my view, the issues raised by that question require one to consider Article 83 of that regulation as a whole and, in particular, as I have explained in point 57 above, to take into account Article 83(2)(b) thereof, given that that provision refers to the ‘intentional or negligent character of the infringement’. I will thus consider the sixth question to enquire about the interpretation of Article 83 of the GDPR as a whole, not just Article 83(1) thereof.
60. In my view, that question has two parts to it. First, it requires the Court to determine whether Article 83 of the GDPR allows administrative fines in general to be imposed on controllers or processors in the absence of any mens rea (mental element – fault). In essence, the referring court would like to know whether the NVSC could be fined on the simple basis that it breached the obligations imposed on it by virtue of being a controller (strict liability), or whether an element of fault in committing the relevant breach(es) is required. Second, it calls for clarification as to whether the fact that the unlawful processing of personal data was not done by the controller itself but by a processor affects, in any way, the ability of supervisory authorities to impose a fine on the controller.
61. I will consider each of those two aspects in turn.
1. The first aspect: the need to establish fault
62. Article 83 of the GDPR requires every administrative fine imposed for a breach of the data protection rules to be ‘effective, proportionate and dissuasive’. That is made clear by paragraph 1 of that provision. However, that paragraph does not state whether such a fine can be imposed only if fault is also established, that is to say, whether ‘fault’ is a prerequisite to the imposition of any administrative fine.
63. Paragraph 2(b) of that provision, on the other hand, lists the ‘intentional or negligent character of the infringement’ among the elements (33) to which supervisory authorities must have ‘due regard’ in each individual case. Pursuant to Article 83(2)(k) of that regulation, those elements must be understood as ‘aggravating or mitigating [factors]’ and are non-exhaustive.
64. Within that context, there are, in my view, two possible ways to understand Article 83 of the GDPR.
65. On the one hand, one could consider that, although a decision to impose a fine and its amount must be determined having due regard to the degree of fault involved (so that, for instance, a higher fine should in principle be imposed if the infringement was the result of intentional conduct and, conversely, negligent conduct should result in a lower fine), nothing prevents a fine from also being imposed in the absence of any fault, so long as the data processor or controller can be deemed to be responsible for the infringement. That interpretation would be supported by a reading of Article 83(2)(b) and (k) to the effect that, by mentioning different types of fault (deliberate or by negligence) as ‘aggravating or mitigating [factors]’, those provisions could be implying that fault, in general, is not a prerequisite for the imposition of a fine.
66. On the other hand, one could also argue, as the Commission does in the present case, that the negligence of the person or entity that committed the infringement must be established, as a minimum requirement, before a fine can be imposed. That approach would be supported by a different, more cautious reading of Article 83(2)(b) and (k) of the GDPR, namely that those provisions require supervisory authorities to distinguish between a mitigating factor (negligence) and an aggravating one (intention), but do not indicate that a fine could be imposed in the complete absence of fault.
67. The Commission expressly opted for that interpretation in its initial proposal which led to the adoption of the GDPR, (34) in which it suggested to organise the system of fines as a three-tier system. For each tier, the Commission proposed that fines could only be imposed on ‘anyone who, intentionally or negligently’, (35) committed one or more of the alleged infringements. Fault was, thus, clearly envisaged by the Commission as a prerequisite for the imposition of such a fine. (36)
68. Although both approaches can, in my view, be defended based on a textual interpretation of Article 83(2) of the GDPR, as they each correspond to an understanding of the ‘intentional or negligent character of the infringement’ as an ‘aggravating’ or ‘mitigating’ factor, I am of the view that only the second approach properly reflects the intention of the EU legislature. Several reasons guide me to that conclusion.
(a) The reasons why fault is required
69. First, I note that several of the factors listed in Article 83(2) of the GDPR contain specific wording from which it can be inferred that such factors may not apply in all cases, but only in some. In particular, Article 83(2)(c), (e) and (k) all start with the word ‘any’ (‘any action taken by the controller or processor to mitigate the damage …’; ‘any relevant previous infringements …’; ‘any other aggravating or mitigating factor applicable to the circumstances of the case …’), thereby suggesting that, although the supervisory authorities must always take into account whether there is any mitigating action, prior infringement or other relevant aggravating or mitigating factor where such elements are present or proven, there may, in fact, be situations where the same elements are simply absent, and yet the competent data protection authority may still decide to impose a fine (or, conversely, not to impose one). In a similar vein, I note that Article 83(2)(i) of the GDPR is also formulated in a non-systematic manner, as it requires a consideration as to whether the controller or processor has complied with measures referred to in Article 58(2) of that regulation, but only ‘where [such] measures … have previously been ordered against the controller or processor’.
70. Article 83(2)(b), by contrast, mentions ‘the intentional or negligent character of the infringement’. (37) As such, it seems to me to form part of the factors that must be present and, figuratively speaking, whose box must be ‘ticked’, in all cases, before a fine can be imposed, much like ‘the nature, gravity and duration of the infringement …’ (Article 83(2)(a)), ‘the categories of personal data affected …’ (Article 83(2)(g)) and ‘the manner in which the infringement became known …’ (Article 83(2)(h)). Those other factors must also, in my view, be ‘present’ in all cases: for example, the ‘nature, gravity and duration of the infringement’ may differ greatly from one case to another (and may, accordingly, be considered either as a reason ‘for’ or as a reason ‘against’ the imposition of a fine). Yet, in all cases, there will be the nature, some gravity and some duration of the infringement to take into account. In my view, that constitutes first indicia that administrative fines were introduced in Article 83 of the GDPR, so that they only be imposed in situations where the alleged infringement was either intentional or negligent. (38)
71. Second, I note that, although Article 83(2) of the GDPR does not expressly state that the infringement must have occurred ‘intentionally or negligently’, the same cannot be said of paragraph 3 of that provision, which contains a general rule precluding the aggregation of administrative fines. That paragraph mentions only the situation where the relevant infringement(s) occurred ‘intentionally or negligently’.
72. In my view, it logically follows that Article 83(2) of the GDPR must be interpreted as meaning that a fine can be imposed only if the alleged infringement occurred intentionally or negligently. Indeed, if the scope of paragraphs 2 and 3 of Article 83 of the GDPR were different, then it would be possible to impose aggregated fines for less serious infringements (that is to say, those committed without any fault), since, although they could still result in the imposition of a fine in application of the first of those provisions (Article 83(2)), they would not be caught by the second (Article 83(3)). The same would not, however, be possible for infringements committed negligently or intentionally, as they would all be subject to the rule against aggregation contained in Article 83(3) of that regulation. Such an outcome would clearly go against the basic principle of the penalty regime put in place by the GDPR, which is that serious infringements should, in principle, be penalised more strictly than less serious ones, and not the other way around.
73. Third, I note that the fines imposed in application of Article 83 of the GDPR can result in severe punishment. Indeed, the first tier, which is covered by Article 83(4) of that regulation, can lead to the imposition of fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The second tier provides for fines up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year (again, whichever is higher).
74. Consequently, it would seem to me that the fines imposed in application of Article 83 of the GDPR pursue a punitive purpose, at least in some situations, (39) and present a high degree of severity such that they are liable to be regarded as being criminal in nature (40) and, thus, as falling within the scope of Article 49 of the Charter of Fundamental Rights of the European Union (‘the Charter’). (41)
75. In the light of those elements and, in particular, of the criminal character of the fines imposed in application of Article 83 of the GDPR, one may be tempted to argue that it would be incompatible with the requirement of paragraph 1 of that provision that fines be, in all cases, not merely ‘effective’ and ‘dissuasive’, but also ‘proportionate’, to allow such fines to be imposed in the absence of fault. In other words, it would be disproportionate to impose fines in cases where not even negligence is established. In my view, that argument is, however, a difficult one to make, given that the Court has already found that a system of penalties or sanctions based on strict liability, even one which is criminal in nature, is not, in itself, disproportionate to the objectives pursued, if that system is such as to encourage the persons concerned to comply with the provisions of a regulation and where the objective pursued is a matter of public interest which may justify the introduction of such a system. (42) Moreover, the European Court of Human Rights (ECtHR) has held, in relation to Article 7 of the European Convention on Human Rights (ECHR) (which corresponds to Article 49 of the Charter), (43) that, although punishment under that provision generally requires the existence of a mental link through which an element of liability may be detected in the conduct of the person who physically committed the offence, that requirement does not preclude the existence of certain forms of objective liability. (44)
76. Having said that, I understand from that case-law that a mens rea is, as a general rule, required in order for a criminal penalty to be imposed, and that strict liability thus constitutes a sort of ‘exception’ to that general rule, to the extent that it must be justified in the light of the objectives pursued by the regulation.
77. Considering the GDPR as a whole, it seems to me that administrative fines were contemplated by the EU legislature as only one of the tools provided in that instrument to ensure effective compliance. Indeed, fines must be imposed ‘in addition to, or instead of,’ the other measures listed in Article 58(2) of that regulation, which confers on supervisory authorities a range of corrective powers (such as the power to issue warnings, reprimands or orders). (45) Furthermore, in situations where no administrative fine is imposed in application of Article 83 of the GDPR, supervisory authorities have the possibility of imposing other penalties pursuant to Article 84 of that regulation. (46)
78. In my view, those provisions make clear that, when adopting that regulation, the EU legislature did not intend for every breach of the data protection rules to be punishable by an administrative fine. Rather, it meant to provide for a flexible and differentiated system of penalties and sanctions. That is confirmed by recital 148 of the GDPR, which provides that supervisory authorities can abstain from imposing an administrative fine, and instead issue a reprimand, in a case of ‘minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person’. Within that context, limiting the application of Article 83 of the GDPR to situations where negligence is, as a minimum requirement, established is, to my mind, aligned with those objectives and the overarching logic of those different provisions, according to which the imposition of administrative fines should be reserved for certain types of breaches.
79. It also seems to me that, when the EU legislature has shown its wish to introduce strict or presumed liability in the GDPR, it has done so using specific wording which is absent from Article 83 thereof. For example, for civil liability (that is, responsibility of controllers and processors to data subjects), which is covered by Article 82 of the GDPR, the EU legislature has stated that controllers and processors are under a strict obligation to compensate the damage that they cause to data subjects unless they manage to prove that they are not in any way responsible for the events giving rise to the damage. (47) Article 83 of that regulation, by contrast, does not contain similar wording to Article 84 of the GDPR. That, in my view, confirms that the EU legislature did not intend for that provision to introduce a system of fines based on strict or presumed liability.
80. Fourth, and perhaps most importantly, I consider that, in practice, the threshold for a negligent infringement of the GDPR, within the meaning of Article 83(2)(b) of that regulation, is, in any case, so low that it is difficult to envisage situations where it will be impossible to impose a fine for the mere reason that that element is not satisfied. As such, I consider that the mere fact that intention or negligence must be established before a fine can be imposed in application of Article 83 of that regulation does not jeopardize the EU legislature’s objective of guaranteeing the effective enforcement of the data protection rules contained therein, quite the contrary.
81. Some have argued, in that regard, that the mere failure to take any action in a situation where the controller or processor has mere doubts about the legality of the processing undertaken already constitutes deliberate acceptance of potentially infringing the GDPR and, thus, gross negligence. (48) Furthermore, the Article 29 Working Party has suggested that a negligent infringement, in many ways, equates to an ‘unintentional’ infringement, since, in its view, such an infringement can exist where there was no intention to cause the infringement, and the controller or processor merely breached its duty of care. (49) In particular, it has stated that even plain and simple ‘human error’ (50) may be indicative of negligence.
82. Two conclusions come to mind. First, the line between an entirely unintentional no-fault infringement and a negligent one is, in fact, very fine. I believe that supervisory authorities will seldom have difficulty in finding sufficient elements to the effect that the alleged infringement occurred at least negligently. In that regard, I note that it has been said, in the literature, that ‘given the now numerous actions for awareness-raising … to ensure compliance with the GDPR …, it is hard to imagine … infringements of the GDPR without at least negligence present’. (51) I fully agree, and recall that the GDPR specifically aims at ensuring that controllers and processors are aware of the data protection rules, which makes it even more difficult, in my view, to consider that an infringement could occur through no fault at all (not even negligence). (52)
83. Second, that result appears perfectly consistent with the primary objective of the GDPR, which is to ensure a consistent and high level of protection of natural persons within the European Union. (53) Indeed, fines have a deterrent effect. (54) Thanks to the incentive that they create for controllers and processors to comply with the GDPR, they contribute overall to the reinforcement of the protection of data subjects and are, therefore, a key element in ensuring the respect of their rights. (55) In my view, it follows that, while ‘fault’ cannot be dispensed with, the degree of fault required for Article 83 of that regulation to be triggered is sufficiently low, so as to ensure an appropriate level of protection for data subjects.
84. In addition, I would emphasise that that approach which I propose the Court to adopt would also confirm the alignment of the fining system put in place by that provision with that which is laid out in Article 23(1) of Regulation (EC) No 1/2003, (56) for competition law infringements, which also only applies if intention or negligence are established. The fact that that other fining system inspired the wording of Article 83 of the GDPR is borne out by recital 150 thereof, which states that ‘where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes’, and by other similarities between those two fining systems, such as the fact that the amount of the fines can, for undertakings, be based, in both systems, on their turnover. I also note that several of the factors listed in Article 83(2) of the GDPR mirror those which are relevant in order to determine the amount of a fine for infringements of competition law. (57)
85. Having outlined the reasons why I believe that fault must be established before a fine can be imposed on a controller or processor in application of Article 83(2) of the GDPR, it remains for me to say a few words about the line of reasoning put forward by the Council and the Lithuanian Government. According to those parties, it is for the Member States to decide whether fault is required or not before an administrative fine can be imposed.
86. I, for one, simply do not agree with that suggestion.
(b) Why Member States have no margin of appreciation as to whether fault is required
87. It is clear to me that one of the core objectives of the GDPR and, in particular, of Article 83 thereof is to achieve a greater level of harmonisation across the European Union with regard, specifically, to the imposition of fines. (58) As such, I am of the view that, contrary to what the Council and the Lithuanian Government have argued, the EU legislature did not intend for Member States to have discretion as to whether fault is required or not.
88. It is true that additional requirements regarding the procedure to be followed by the supervisory authorities when imposing a fine may be provided for in national legislation (with respect to matters such as the notification of the fine and deadlines for making representations, appeal, enforcement and payment). (59) That is clear from Article 83(8) of the GDPR, which states that the exercise by the supervisory authorities of their fining powers shall be ‘subject to appropriate procedural safeguards’, which are to be provided for by national law, so long as respect of EU law (and particularly with the right to effective judicial remedy and due process) is guaranteed.
89. That discretion cannot, however, extend to the substantive requirements which apply for the imposition of a fine, such as the degree of fault. In my view, that conclusion directly follows from several recitals of that regulation, (60) which indicate that the system of administrative fines put in place by Article 83 of the GDPR was intended by the EU legislature to produce consistent results across the territory of the European Union.
90. For the sake of completeness, I add that, given that fines have a strong impact on competition between undertakings and have significant market repercussions, it is essential, in my view, that Article 83 of the GDPR be applied in a consistent manner, or else it could actually contribute to introducing distortions of competition between undertakings. (61)
2. The second aspect: can a controller be fined for an infringement committed in a context where the unlawful processing was done not by itself but by a processor?
91. By the second part of the sixth question, the referring court wonders, in essence, whether a controller can be fined in application of Article 83 of the GDPR in a context where the unlawful processing of personal data was not carried out by the controller itself, but by a processor (in casu, by ITSS).
92. In my view, that question must be answered in the affirmative.
93. In that regard, I recall that, as I have indicated in point 27 above, a controller does not need to process any of the personal data itself, so long as it determines the ‘why and how’ of the relevant processing operations. I further note that Article 4(8) of the GDPR defines a ‘processor’ as ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’. (62)
94. Those definitions confirm, in my view, that, within the context of the application of the GDPR, a controller can be held liable and therefore can be fined, in application of Article 83 of that regulation, in a situation where personal data are processed unlawfully, and that unlawful processing was not carried out by the controller itself, but by a processor. That possibility remains in place for so long as such a processor processes personal data on behalf of the controller.
95. That will be the case for so long as the processor acts within the scope of the mandate conferred upon it by the controller and processes data in compliance with the lawful instructions received from the controller. (63) However, if the processor goes beyond the scope of that mandate and uses data received as a processor for its own purposes, and it is clear that the parties are not ‘joint controllers’ within the meaning of Article 4(7) and Article 21(6) of the GDPR, then the controller cannot, in my view, be fined, in application of Article 83 of that regulation, in relation to the unlawful processing that took place.(64)
96. It follows that, in a case such as the one in the main proceedings, a fine can be imposed, in application of Article 83 of the GDPR, on the NVSC, even though personal data were unlawfully processed by ITSS only and the NVSC took no part in the processing. That possibility is open for so long as that company can be considered to have processed personal data on the NVSC’s behalf, which will not be the case if ITSS acted outside of, or in contradiction with, the lawful instructions of the NVSC and used personal data for its own purposes, and it is clear that the NVSC and ITSS did not act as joint controllers.
V. Conclusion
97. In the light of the foregoing, I propose that the Court answer the questions referred for a preliminary ruling by the Vilniaus apygardos administracinis teismas (Regional Administrative Court, Vilnius, Lithuania) as follows:
(1) Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as meaning that an entity which initiates the development of a mobile application can only be regarded as the ‘controller’, within the meaning of that provision, in a situation where there are enough elements of a factual, rather than formal, nature from which national courts can conclude that such an entity exercised actual influence as regards both the ‘purposes’ and the ‘means’ of that processing and it actually consented to the release to the public of the mobile application and, consequently, to the processing of the personal data.
(2) That provision, read in conjunction with Article 26(1) of that regulation,
must be interpreted as meaning that, for two or more controllers to be regarded as ‘joint controllers’, two conditions must be satisfied: first, each joint controller must independently fulfil the criteria listed in the definition of ‘controller’ provided in Article 4(7) of that regulation, and, second, the controllers’ influence over the ‘purposes and means’ of the processing must be exercised jointly. Furthermore, the absence of any agreement or even coordination between the controllers cannot, in and of itself, exclude a finding that the controllers are ‘joint controllers’ within the meaning of those provisions.
(3) Article 4(2) of that regulation
must be interpreted as meaning that the concept of ‘processing’ covers a situation where personal data are used during the test phase of a mobile application, unless such data have been rendered anonymous in such a manner that the data subject is not or no longer identifiable. Whether personal data are collected with a view to testing the IT systems embedded in a mobile application or for another purpose has, for its part, no bearing on the question of whether the operation in question qualifies as ‘processing’.
(4) Article 83 of Regulation 2016/679
must be interpreted as meaning that a fine can only be imposed in order to sanction a breach of the rules of that regulation which has been committed ‘intentionally or negligently’. Furthermore, a controller may be fined in application of that provision even though the unlawful processing is carried out by a processor. That possibility is open for so long as it is established that the processor acts on the controller’s behalf. However, if the processor processes personal data outside of, or contrary to, the lawful instructions of the controller and uses the personal data received for its own purposes, and it is clear that the parties are not ‘joint controllers’, within the meaning of Article 4(7) and Article 21(6) of Regulation 2016/679, then the controller cannot be fined, in application of Article 83 of that regulation, in relation to the unlawful processing that took place.